It has not been a good couple of weeks for Tron, which has now revealed that it stomped a bug with the potential to cripple the entire network. On January 14th, a bug was reported that would have allowed a single computer to send a request that could jam the network up indefinitely. Once the attacker launched the attack, the Tron network would have become unstable or simply inaccessible until the attacker chose to stop. A bug like this could have killed Tron and left it a barren wasteland that nobody would ever touch again. Thankfully, the bug was reported responsibly and Tron has now patched it.
Tron Paying Out a Bug Bounty
Tron’s saving grace was its bug bounty program, whereby hackers are incentivized to disclose bugs and vulnerabilities for a quick, and legal, payday. The bug was flagged as high severity, scoring 8.9 out of a possible 10. For the hard work of uncovering it, the researcher was awarded $1,500, a rather measly sum for a bug of this importance, don’t you think?
Clogging the CPU Power with Requests
Before the fix, Tron parsed incoming JSON with fastjson’s JSONObject.parse, which enables Feature.UseBigDecimal by default, so every numeric literal in a request became a java.math.BigDecimal. A BigDecimal only stores the digits and an exponent, so constructing one from "10000000e100000000" is instant, but calling longValue() on it forces the value to be expanded to its full integer form (roughly 100 million digits) before it can be truncated to 64 bits. On a top-of-the-range MacBook Pro, new BigDecimal("10000000e100000000").longValue() takes around two to three minutes. If an attacker sent a request to /wallet/deploycontract with all six numeric fields set to such a value, the node would be tied up for about 12 minutes, assuming two minutes per parse. Because the huge intermediate objects live long enough to be promoted out of the JVM’s Eden space (the young generation, where short-lived objects are normally reclaimed cheaply) into the old generation, the garbage collector then struggles to clean up the mess, which clogs the node even further and leaves Tron dead in the water. It might sound complicated, but it is very simple to perform if you have a little blockchain development knowledge.
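To make the mechanism concrete, here is an added example in Python. It is not Tron’s code and does not use fastjson (java-tron is written in Java); it models the same class of defect with Python’s json hooks and the decimal module. The first half shows why the attack works: a literal such as 10000000e100000000 is trivially cheap to hold as a decimal (digits plus exponent) but would need roughly 100 million integer digits to be materialised the moment it is converted to a machine integer, which is what BigDecimal.longValue() does. The second half is one hardening pattern: validate each raw numeric literal before it is ever handed to an arbitrary-precision type, so a request with an absurd exponent is rejected up front instead of burning minutes of CPU. The field names, the size bounds and both request bodies are assumptions constructed for the example, not taken from the Tron API.

```python
import json
import re
from decimal import Decimal

# Constructed request bodies shaped like a /wallet/deploycontract call. The
# field names are assumed for illustration; the article only says the endpoint
# has six numeric fields. Every number in the malicious body is the literal
# the article quotes.
MALICIOUS_BODY = (
    '{"fee_limit": 10000000e100000000, "call_value": 10000000e100000000,'
    ' "consume_user_resource_percent": 10000000e100000000}'
)
BENIGN_BODY = '{"fee_limit": 1000000, "call_value": 0, "consume_user_resource_percent": 30}'

# Bounds a node could reasonably enforce on a numeric literal before it is
# handed to an arbitrary-precision type (chosen for this example, not from the page).
MAX_SIGNIFICANT_DIGITS = 40
MAX_ABS_EXPONENT = 40

# JSON number grammar: optional sign, integer digits, optional fraction, optional exponent.
_NUMBER_RE = re.compile(r"^(-?)(\d+)(?:\.(\d+))?(?:[eE]([+-]?\d+))?$")


class UnsafeNumberError(ValueError):
    """Raised for a numeric literal whose integer expansion would be too expensive."""


def _split(literal):
    """Break a JSON number into (negative, int_digits, frac_digits, exponent)."""
    m = _NUMBER_RE.match(literal)
    if m is None:
        raise UnsafeNumberError(f"not a JSON number: {literal!r}")
    sign, int_digits, frac_digits, exp_str = m.groups()
    frac_digits = frac_digits or ""
    # Refuse to even int() an exponent written with an absurd number of digits.
    if exp_str is not None and len(exp_str.lstrip("+-")) > 9:
        raise UnsafeNumberError(f"exponent too long: {literal!r}")
    exponent = int(exp_str) if exp_str is not None else 0
    return sign == "-", int_digits, frac_digits, exponent


def expanded_integer_digits(literal):
    """Digits the integer part occupies once the exponent is applied.

    This is the work BigDecimal.longValue() (or Python's int(Decimal)) must do:
    materialise the whole integer before truncating it to 64 bits.
    """
    _, int_digits, _, exponent = _split(literal)
    return max(0, len(int_digits) + exponent)


def check_numeric_literal(literal):
    """json.loads hook: validate the raw literal, then build the Decimal.

    Decimal(literal) itself is cheap because it keeps digits and exponent
    apart; the check guards the later, expensive conversion to an integer.
    """
    _, int_digits, frac_digits, exponent = _split(literal)
    if len(int_digits) + len(frac_digits) > MAX_SIGNIFICANT_DIGITS:
        raise UnsafeNumberError(f"too many digits: {literal!r}")
    if abs(exponent) > MAX_ABS_EXPONENT:
        raise UnsafeNumberError(f"exponent out of range: {literal!r}")
    return Decimal(literal)


def safe_loads(body):
    """Parse a request body, rejecting dangerous numbers before any expansion."""
    return json.loads(body, parse_int=check_numeric_literal, parse_float=check_numeric_literal)


def is_rejected(body):
    """True if the validating parser refuses the body."""
    try:
        safe_loads(body)
    except UnsafeNumberError:
        return True
    return False


if __name__ == "__main__":
    lit = "10000000e100000000"
    print(f"{lit} would expand to {expanded_integer_digits(lit):,} integer digits")
    print("malicious body rejected:", is_rejected(MALICIOUS_BODY))
    fields = safe_loads(BENIGN_BODY)
    print("benign body parsed:", {k: int(v) for k, v in fields.items()})
```

The important design point is where the check sits: it inspects the literal as text, before any numeric object is built, so the cost of rejecting an attack is a regex match rather than a multi-minute expansion. Clamping at the parser layer is also what protects every handler behind it, not just the one endpoint that was reported.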
Tron Pulling Stunts
Just before this crippling bug was disclosed to the world, Tron had announced its developer guide. However, Tron quickly deleted it after people realized it was simply a list of places where you could buy TRX. Tron looks more and more like a project run by an incapable teenager with every passing week, and the developer guide debacle is the icing on the cake.
Thankfully, Tron managed to squash this dangerous bug, but who knows how many more are lurking in its code. Multiple researchers have compared Tron’s code to the “Frankenstein of Crypto”, which gives the impression that there are many more flaws waiting to be exposed.